Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Saved search table value as array for multi-valued search to a new table

jsleona
New Member
‎08-27-2017 08:17 AM

Hello I am doing a search that results in a table with these values... "| table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host"

The issue is that I need to know durations which is not captured in the events. But I can do... "index=abc sourcetype=xyz message.connID | stats range(_time) as difference". Which provides an individual view of the events with this one unique ID and provides overall event duration.

I am trying to find a way to use the initial table as array values, run multiple searches like the one above, to produce a new table where each row has all the table columns and a new column for "duration" based one each unique message.connID.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎08-27-2017 10:32 PM

@jsleona - If you had given us the entire original search, then we could provide a complete solution. I have provided a solution below that uses your given table to get the rest, but it would be much more efficient to get it all in a single pass at the data.

For instance, here's a way to get all the differences, by themselves, at the same time...

index=abc sourcetype=xyz   [your search that gets all that stuff | table message.connID]
| stats range(_time) as difference by message.connID

...and here's a way to get it after your existing search and attach it to your existing search...

 your search that gets all this stuff
 | table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host
 | appendpipe 
     [| table message.connID 
      | format 
      | rename search as mysearch 
      | map search="search index=abc sourcetype=xyz $mysearch$ 
      | stats range(_time) as difference by message.connID 
      ]
 | eventstats max(difference) as difference by message.connID

... however, while that method will almost certainly work, it is also almost certainly not the most efficient way.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...